Responsible Disclosure Policy

This policy is intended to give guidance for submitting potential vulnerabilities discovered on Moonpig Group's website, mobile apps or other resources.

Following the responsible disclosure process allows us to take steps to address any vulnerabilities, thereby protecting our customers and systems.

We value those who take the time and effort to report security vulnerabilities according to this policy. However, we are currently unable to offer financial incentives or gifts for raising vulnerability disclosures.

The scope of this policy includes:

  • *.moonpig.com

  • *.moonpig.net

  • *.moonpig.io

  • *.moonpiggroup.com

  • *.moonpig.group

If you have identified a vulnerability that you wish to disclose, we ask that you:

  • Email [email protected] with a high-level summary, including the type of vulnerability and affected domain.

  • Don’t access unnecessary, excessive or significant amounts of data.

  • Only use your own accounts to demonstrate impact. Don’t target any of our customers’ accounts.

  • Please do not discuss or post vulnerabilities without our consent (including blog posts and PoCs on YouTube and Vimeo).

  • Don’t run any automated tools against our website or APIs (examples include, but are not limited to, Nikto, Burp scanner, Nessus, etc).

  • Don’t target our physical security, perform any social engineering, denial of service, spam or target applications of third parties, or otherwise break any laws.

What you can expect from us:

  • We’ll respond to you within 5 business days acknowledging your report.

  • We’ll keep you up-to-date as we investigate and address your report.

  • We consider the impact, severity and complexity of the vulnerability when prioritising a fix for any reported issues. Given this, please understand that it may take some time for a fix to be implemented.